

Morphing first stage

After we blocked the first set of apps on Google Play, new apps were uploaded with a similar format but had a couple of differences.

The apps changed from ‘backup’ apps to looking like a “cleaner”, “notepad”, “sound recorder”, and “alarm manager” app. The new apps were uploaded within a week of the takedown, showing that the authors have a method of easily changing the branding of the implant apps.
The app changed from downloading an unencrypted stage 2 to downloading stage 2 as an encrypted blob. The new stage 1 would only decrypt and load the 2nd stage if it received an intent carrying an AES key and IV.
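The newer stage 1 described above combines three behaviours: AES decryption with an IV, key material arriving via an Intent extra, and dynamic loading of the decrypted code. The following added example (not Google's or Play Protect's detection logic) is a static triage heuristic over constructed lists of class and method references, as a decompiler would extract them from an APK, that flags only when all three behaviours are present; the reference lists and indicator names are assumptions.

```python
"""Triage heuristic for a Lipizzan-style intent-keyed staged loader.

Input: the set of class/method references found in an APK's dex.
Output: whether the sample shows all three indicator groups together.
"""

# Indicator groups; a sample is flagged only when every group is present.
INDICATOR_GROUPS = {
    "aes_decrypt": {"javax.crypto.Cipher", "javax.crypto.spec.SecretKeySpec",
                    "javax.crypto.spec.IvParameterSpec"},
    "intent_keyed": {"android.content.Intent.getStringExtra",
                     "android.content.Intent.getByteArrayExtra"},
    "dynamic_load": {"dalvik.system.DexClassLoader",
                     "dalvik.system.InMemoryDexClassLoader",
                     "dalvik.system.PathClassLoader"},
}


def staged_loader_score(references):
    """Return (flagged, matched_groups) for an iterable of dex references.

    A group matches when any of its indicators appear, except aes_decrypt,
    which needs both Cipher and IvParameterSpec: plain AES use without an
    explicit IV is common in benign apps and should not trigger on its own.
    """
    refs = set(references)
    matched = {}
    for name, indicators in INDICATOR_GROUPS.items():
        hits = sorted(refs & indicators)
        if name == "aes_decrypt":
            ok = {"javax.crypto.Cipher",
                  "javax.crypto.spec.IvParameterSpec"} <= refs
        else:
            ok = bool(hits)
        if ok:
            matched[name] = hits
    return len(matched) == len(INDICATOR_GROUPS), matched


# Constructed reference lists standing in for decompiler output.
NEWER_STAGE1 = [
    "android.content.Intent.getStringExtra", "javax.crypto.Cipher",
    "javax.crypto.spec.SecretKeySpec", "javax.crypto.spec.IvParameterSpec",
    "dalvik.system.DexClassLoader", "java.net.HttpURLConnection",
]
BENIGN_NOTEPAD = [
    "javax.crypto.Cipher", "javax.crypto.spec.SecretKeySpec",
    "android.content.Intent.getStringExtra", "android.widget.EditText",
]

if __name__ == "__main__":
    for label, refs in (("newer stage 1", NEWER_STAGE1), ("notepad", BENIGN_NOTEPAD)):
        flagged, groups = staged_loader_score(refs)
        print(f"{label}: flagged={flagged} groups={sorted(groups)}")
```

Such a heuristic is a triage aid for analysts, not a verdict: a legitimate app updater can hit all three groups, so matches still need manual review of what is decrypted and loaded.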

Despite changing the type of app and the method to download stage 2, we were able to catch the new implant apps soon after upload.

How many devices were affected?

There were fewer than 100 devices that checked into Google Play Protect with the apps listed below. That means Lipizzan affected only 0.000007% of Android devices. Since we identified Lipizzan, Google Play Protect has removed it from affected devices and actively blocks installs on new devices.

What can you do to protect yourself?

• Ensure you are opted into Google Play Protect.
• Exclusively use the Google Play store. The chance you will install a PHA is much lower on Google Play than using other install mechanisms.
• Keep “unknown sources” disabled while not using it.
• Keep your phone patched to the latest Android update.

List of samples

1st stage


Newer version 


Standalone 2nd stage



